Minutes IETF102: maprg

Meeting Minutes Measurement and Analysis for Protocols (maprg) RG
Title Minutes IETF102: maprg
State Active
Other versions plain text
Last updated 2018-08-06

Meeting Minutes

MAPRG Meeting at IETF 102
2018-07-19 9:30-12:00
Notetaker: Magnus Westerlund

Intro & Overview
Mirja K├╝hlewind
25 min

Mirja opened the meeting and wellcomes everyone. IAB has reviewed the RG and
how it works. Got Some feedback from the IAB and discussion about things to
do/change in future (see slides). Aaron Falk commented regarding conflict
resolution that for TAPS WG he sent out a question asking for people who liked
to be in the WG and couldn't. Mirja responded that this may be hard as it
depends on the RG agenda. Spencer Dawkins commented that people do know what
research they are doing and therefore could provide input quite early. Mirja,
however, commented that usually the agenda is not ready early enough. Colin
Perkins commented that with the increase in presentation on measurement
research with the ANRW and the MAPRG, it should be clear where things are
presented so that they are not brought up multiple times. Chairs considering
involvement in the Hackathon, but how is under discussion. Welcome to discuss
this further. Brian Trammel commented on MAT working group in RIPE (as
co-chair). Maintain loose information exchange if of interested for both groups
but slightly different focus. Aaron Falk commented that if one writes a blog
post, one gets a T-shirt.

Heads-up talk: Dmap: Atomating Domain Name Ecosystem Measurements and
Applications Giovane C. M. Moura 5 min
No questions.

Heads-up talk: Monitoring DNS with open-source solutions
Felipe Espinoza
5 min
Jon Reed - Akamai: Where are you capturing information? -> The authority
server of the chilean top domain. Had experience that capturing recursive and
figuring out the actual user experience is hard. Sara Dickison: What format are
you capturing the information pcap other? -> Not using CBOR.

Packet Reordering in QUIC
Ian Swett
10 min
Tommy Pauly: Client-side on packet re-order is this for both? -> Only in the
client direction. Aaron: How is this distributed over flows, a small number of
flows that causes lots of issues? Is it topology concentrated or more
pervasive? -> Ian didn't have the answer. Erik Nygren: Do you have sense how
much of how much is fragmented packets? -> They set DF on the flows, so
there should be no. Colin Perkins: Do you know which packets gets reordered?
-> A common case is that if one has queue pressure and then a small tail
packet, then it can raise ahead. Colin: Do you seen reordering in connection
establishment? -> Very little. Brian Trammel: I would blame WIFI for a lot
of reordering. Gorry Fairhurst: It would be interesting to know how this looks
for TCP. -> Ian agreed, that it would be.

Is Bufferbloat a Privacy Issue?
Brian Trammell
15 min
Aaron Falk: Struggling with the initial premise. -> Brain: Okay then give me
your IP address... one can tell if one are using the network or not. If one
pings frequently enough one can determine bulk transfer versus more
interactive. Stephane Bortzmeyer, AFNIC: Why do you need ICMP, there are other
ways, like TCP syn + reset pattern. -> Yes, but already measuring with ICMP.
Giovane Moura: Many networks treat pings differently, how does this affect the
results? -> Brian: yes some of the networks that doesn't have any load
indication may be a case of this. Will try using TCP. Wes Hardaker, ISI: Have
used DNS to determine peoples wake and sleep cycles of the inhabitants. This
gives you even more. Benjamin Damm, Itron: Appreciate the research, if you
don't see this a problem, you just haven't had anyone trying to hurt you.
Felipe Espinoza: Can also use this to monitor webserver to get cooperate
information e.g. how many people visit which website when. Lorenzo, Google: A
different advice, is to randomize the response time for ICMP. Probably in the
bad advice column.

Clusters in the Expanse: De-Aliasing IPv6 Hitlists
Quirin Scheitle
15 min

Erik Nygren: How do you handle load balanced clusters? -> A prefix of IP
addresses can go to any of the servers in the cluster. The original classifier
would be considered as aliased, but verification is likely to not considered to
be aliased. Lorenzo Colitti, Google: Set random TCP options to make the
fingerprinting less efficient. -> Yes, there are a number of reasonable
protections. Need to look at what we can do to prevent at protocol level from
allowing this type of fingerprinting. Tobias Fiebig, TU Berlin: Did you compare
clusters to IPv6-reverse-DNS-zones data set or other data set? -> We have
been in touch before. Igor Lubashev, Akamai: A pretty large IP prefix could
have multiple backend servers and distribute among them in a more random order.
Would not be classified as alias. Could one consider to detect a set of endhost
being the alias for the same address set? Tatauya Jinmei, Infoblox: What if one
have really large prefix. Found one /29 which was the same machine. Tim
Shepherd: was that a firewall? -> No, it was a NGIX.

Measuring the usable maximum packet size across Internet paths
Gorry Fairhurst
20 min
Aaron Falk: Some of the problems are in the network, some are in the
end-systems. Are you doing anything to fix this. -> Gorry thinks there are
some things that may be simple to fix, but the real solution is to address this
in the transport. Yoshifumi Nishida: Can we know where it happens and what
variations? -> Gorry answered that yes they have data for which hops.
Lorenzo: ICMP is unfixable which you show. Transport is the layer that can do
something. Important to not blackhole, and do not introduce latency. Thus start
small and do probe in parallel. The cost for failing is to high, thus the 1280
clamping in a lot of service for IPv6 -> Gorry: yes that is what DPLMTUD
does. Jana Iyangar, Fastly: What Lorenzo said is important. Not relying on ICMP
is the right way. Gorry doing SCTP and UDP is actually simpler as they normally
allow probe packets, while TCP has issues sending non data probe. Working on
QUIC to test the algorithm. Erik Nygren: Based on what you measured, do you get
any use out of path signaling, like MSS clamping. -> Gorry: It would be good
with a path signal, but MSS clamping is not the right signal, only a
side-effect. Ron Bonica is working on an IPv6 stack signal.

When the Dyke breaks: dissecting DNS Defenses during DDoS
Giovane C. M. Moura
20 min

Jon Reed: What if one authoritative server of several is hit. -> Results in
paper for this. Treated recursive layer as one block. Robert Kisteleki, Ripe
NCC: Put in measurements to be able to detect if the root servers are hit. Paul
Hoffman: I like the measurements, but not the conclusions. Due to the answer is
that one works, should have more focus on getting one authoritative instance
working. Jinmei Tatuya: Did you get information for the caches. The methodology
allows for determine what is coming from caches and what is not. If one change
what is provided from the caches, then one can determine what has been
stretched. Mark?, NL?: In the Netherlands we had an incident where the
recursive was unable to reach the authoritative, due to a DDoS on the recursive
uplink.  A: Depends on the recursive, but hard to answer based on this material.

Finding the source of DNS resolver users that were using old DNSSEC keys
Wes Hardaker
20 min

Roy Arends, ICANN: Double signing is not the only problem. The issues is when
you stop signing with the old key. Github contains a lot of cruft. Those 2000
results are only 300 unique files. Some of the repositories are very popular
and have been forked a lot. Davi?: Many are likely aware of the announcement,
but not the work that is being done. IOT devices appear to have a similar
problem with updates and trust anchors.  -> Wes: What is clear is that there
needed to be a longer time period to prepare for the roll over. After the
actual roll over there will be need to consider these issues more.